Apr 5, 2021

Preventing MITRE Att&cks with Zero Trust

MITRE Att&ck is a framework cataloguing the most widely known adversary tactics and techniques. CISOs and red teamers can use it to analyze the state of their network security and take the relevant security measures. Zero trust is a security model that MITRE recommends. Learn why, and how the zero trust security model can protect you from the attacks catalogued in MITRE Att&ck.

But first, let’s understand what the MITRE Att&ck framework is.

What is MITRE Att&ck?

Released in 2015, the MITRE Att&ck (Adversarial Tactics, Techniques, and Common Knowledge) framework is a comprehensive knowledge base of cyber attacker tactics and techniques. It was developed by the MITRE Corporation and can be used by CISOs, security teams, red teamers and threat hunters to assess their attack surface and build better security models.

MITRE Attack Tactics and Techniques

The MITRE Att&ck framework currently spans 14 tactics, listed in the order an adversary typically progresses through them:

  1. Reconnaissance - gathering information to plan cyber attacks

  2. Resource Development - acquiring and establishing assets to support the attacks

  3. Initial Access - gaining an initial foothold in the network

  4. Execution - attempting to run malicious code

  5. Persistence - maintaining access across interruptions and restarts, for example by hijacking code

  6. Privilege Escalation - gaining higher-level permissions

  7. Defense Evasion - avoiding detection, for example by disabling security software

  8. Credential Access - stealing account names and passwords

  9. Discovery - gaining knowledge about the system to plan the next steps

  10. Lateral Movement - moving through the network, entering and controlling further systems

  11. Collection - gathering valuable data, usually in preparation for stealing it

  12. Command and Control - communicating with compromised systems to control them

  13. Exfiltration - stealing data from the network

  14. Impact - manipulating, interrupting, or destroying systems and data

Each of these tactics currently includes between 6 and 37 attack techniques, and some of the techniques also include sub-techniques. For example, phishing is a technique in the “initial access” tactic. It includes three sub-techniques: spear phishing attachment, spear phishing link and spear phishing via service.

How to Use the MITRE Att&ck Framework

The Att&ck knowledge base was built on real-world observations and is updated continuously. It has therefore become a reliable source for threat modeling and a benchmark for security assessments. For example, penetration testers follow the tactics in the Att&ck framework to assess how vulnerable a network is at each stage.

CISOs should review each technique, prioritize it according to its relevance to their own networks, and implement the relevant security controls and tools. One of the prominent security models for mitigating Att&ck techniques is zero trust.

MITRE Att&ck and Zero Trust

Zero trust is a security model that focuses on users, assets and devices instead of the perimeter. ZT principles assume no implicit trust. Therefore, a zero trust architecture will grant access to assets and networks based on authentication and authorization of users and devices, and not based on their physical or network location.

Zero trust is a security approach recommended by MITRE because it creates access limits that deter attacks. By placing security controls as close as possible to the end user, zero trust stops most adversaries at the reconnaissance stage. This means that with zero trust, adversaries never enter the network.

Reconnaissance is the first stage in the MITRE Att&ck framework. Zero trust prevents active scanning and gathering host information by cloaking the network and blocking perpetrator visibility. Preventing cyber attackers from progressing to the next phases significantly reduces the attack surface of any organization implementing zero trust.

In addition, in the case of a hacker who is already inside the network, zero trust can help prevent many of the attack techniques in the remaining 13 tactics.

For example:

  • Initial access - Many perpetrators are tunneled into enterprise networks through VPNs. By replacing VPNs, zero trust minimizes the attack surface. In addition, zero trust blocks the use of stolen credentials by adding MFA and real-time monitoring.

  • Execution, Persistence & Privilege Escalation - Zero trust filters and restricts API access and host commands to prevent malicious code from running.

  • Defense Evasion - Zero trust provides full visibility through session recording, session transcripts and request logging. These logs provide the information needed to detect and investigate user actions.

  • Credential Access - Cyolo leverages a vault so passwords always stay safe. In addition, zero trust secures user accounts with MFA and provides end-to-end encryption to protect against man-in-the-middle (MITM) attacks.

  • Lateral Movement - Zero trust mitigates lateral movement by preventing network access and providing service segmentation so users only get brokered access to specific applications.

  • Collection - Zero trust provides mitigating controls such as prohibiting file download or file transfer.
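As an added illustration (not Cyolo's code or the original post's), the following Python contrasts a perimeter-style decision with the zero trust broker decision described above: a password presented from the "inside" network satisfies the perimeter, while the broker requires MFA, an enrolled device and a per-application entitlement and ignores location. Users, devices, applications and addresses are constructed.

```python
from dataclasses import dataclass

# Constructed illustration, not Cyolo code: perimeter check beside a zero trust broker.
# Users, devices, applications and addresses below are made up.

@dataclass(frozen=True)
class Request:
    user: str
    password_ok: bool   # primary credential verified by the identity provider
    mfa_ok: bool        # second factor completed
    device_id: str      # device presenting the request
    source_ip: str      # where the request comes from (ignored by zero trust)
    app: str            # the single application being requested

CORP_PREFIX = "10.0."                                             # range the perimeter trusts
ENROLLED = {"alice": {"lt-a1"}, "bob": {"lt-b7"}}                 # assumed device inventory
ENTITLED = {"alice": {"hr-portal"}, "bob": {"git", "hr-portal"}}  # assumed per-app policies
AUDIT_LOG: list[str] = []                                         # every decision is logged

def perimeter_allows(req: Request) -> bool:
    """Perimeter model: a valid password from the trusted network grants network access."""
    return req.password_ok and req.source_ip.startswith(CORP_PREFIX)

def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Zero trust broker: identity, MFA, device and entitlement decide; location does not."""
    if not req.password_ok:
        verdict = (False, "authentication failed")
    elif not req.mfa_ok:
        verdict = (False, "MFA required")                    # a stolen password alone fails
    elif req.device_id not in ENROLLED.get(req.user, set()):
        verdict = (False, "unenrolled device")
    elif req.app not in ENTITLED.get(req.user, set()):
        verdict = (False, "not entitled to application")     # no lateral movement to other apps
    else:
        verdict = (True, f"brokered access to {req.app} only")
    AUDIT_LOG.append(f"user={req.user} device={req.device_id} src={req.source_ip} "
                     f"app={req.app} allow={verdict[0]} reason={verdict[1]!r}")
    return verdict

def compare(req: Request) -> dict:
    allow, reason = zero_trust_decision(req)
    return {"perimeter": perimeter_allows(req), "zero_trust": allow, "reason": reason}

# Constructed scenarios
STOLEN_CREDS_INSIDE = Request("alice", True, False, "unknown-pc", "10.0.4.12", "hr-portal")
ALICE_REMOTE = Request("alice", True, True, "lt-a1", "203.0.113.9", "hr-portal")
ALICE_LATERAL = Request("alice", True, True, "lt-a1", "203.0.113.9", "git")

if __name__ == "__main__":
    for name, req in [("stolen creds, inside", STOLEN_CREDS_INSIDE),
                      ("alice remote, MFA", ALICE_REMOTE), ("alice -> git", ALICE_LATERAL)]:
        print(name, compare(req))
    print("\n".join(AUDIT_LOG))
```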

How to Get Started with Zero Trust

Implementing Zero Trust is a simple process that can take less than an hour.

  1. Add a ZT connector that will connect to your cloud broker.

  2. Configure your identity provider.

  3. Create policies.

  4. Run side by side with your VPN, or replace your VPN completely.

How to Choose a ZTNA Provider

When choosing a provider, it’s important to find a zero trust solution that gives you the business flexibility you need while abiding by the zero trust principle of trusting no one. Cyolo is the only ZTNA provider that gives you 360-degree protection by letting you, and only you, keep your keys, passwords, and policies.
